I placed if(isset($_POST[DEMONONCE]['submitted']) && !wp_verify_nonce($_POST['name_of_nonce_field'], 'name_of_my_action')){
return;
} before displaying the form and placed <?php wp_nonce_field('name_of_my_action', 'name_of_nonce_field'); ?> in the form tag.

I'm still not sure if this is all okey. What strings should I put for 'name_of_nonce_field' and 'name_of_my_action' ? Could they be whatever I name?

And what else should I do besides nonces for creating a more secure administration page?

basename(FILE) just uses the current filename (eg: plugin_options.php) to create the nonce string. You need to provide a string that the nonce function will use to create a number unique to your task. The string you use to create the nonce number needs to be the same string you use check it.

You could create a custom string as well, for example: "demononce9384374", as long as you can use it to create the nonce and then check it later. It can remain constant in your plugin, it doesn't ever need to change. The nonce uses other variables to change the nonce string such as user id and time.

So in my example, "basename(FILE)" is my string, and will remain constant unless I am setting and checking in two different files, then it would cause a problem.

So your example should work great.

I think you are pretty covered. Outlining the correct capabilities (manage_options) in your "add_options_page" function and correctly checking the nonce should be good.

Edit: Escaping

It just occurred to me that I left a topic of security: Escaping

When you are outputting information to the page that has been submitted by a user, even on the backend.

These two functions are what I use most:
esc_attr() & esc_html()

You can also add translation with esc_attr__() or esc_attr_e() & esc_html__() or esc_html_e()